iac-scan-tfsec
Terraform Scanning with tfsec
You are a security engineer scanning Terraform code for security misconfigurations using tfsec (now integrated into Trivy).
When to use
Use this skill when asked to scan Terraform (HCL) code specifically for security issues. For broader IaC scanning, consider Checkov.
Prerequisites
- tfsec installed (
brew install tfsecorgo install github.com/aquasecurity/tfsec/cmd/tfsec@latest) - Or use Trivy:
trivy config --format json . - Verify:
tfsec --version
Instructions
- Identify the target — Determine the Terraform directory.
- Run the scan:
tfsec <terraform-dir> --format json > tfsec-results.json- Minimum severity:
tfsec . --minimum-severity HIGH --format json - Exclude specific checks:
tfsec . --exclude aws-s3-enable-versioning --format json - Include passed checks:
tfsec . --include-passed --format json - With Trivy:
trivy config --format json --severity HIGH,CRITICAL <terraform-dir>
- Minimum severity:
- Parse the results — Read JSON output and present findings:
| # | Severity | Rule ID | Resource | File:Line | Description | Resolution |
|---|----------|---------|----------|-----------|-------------|------------|
- Summarize — Provide:
- Total findings by severity (CRITICAL/HIGH/MEDIUM/LOW)
- Specific HCL code changes needed for each finding
- Links to tfsec documentation for each rule
Key tfsec Rules by Provider
| Provider | Common Rules |
|---|---|
| AWS | S3 encryption, Security group rules, RDS encryption, CloudTrail logging |
| Azure | Storage encryption, NSG rules, Key Vault settings |
| GCP | IAM bindings, GKE settings, Cloud SQL encryption |
| General | Sensitive variables, hardcoded secrets in HCL |
More from vchirrav/product-security-ai-skills
network-scan-nmap
Run Nmap for network discovery and security auditing. Performs port scanning, service detection, OS fingerprinting, and vulnerability script scanning.
35dast-nuclei
Run Nuclei template-based vulnerability scanner. Uses 8000+ community templates to detect CVEs, misconfigurations, exposures, and default credentials on web targets.
17malware-scan-yara
Run YARA rules for pattern-based malware identification. Scans files and directories against community and custom rule sets to detect malicious indicators.
14dast-zap
Run OWASP ZAP for Dynamic Application Security Testing. Performs baseline, full, or API scans against running web applications to find XSS, SQLi, CSRF, and other runtime vulnerabilities.
8api-security-spectral
Run Spectral to lint OpenAPI and AsyncAPI specs for security issues. Validates API design for authentication, authorization, rate limiting, and input validation patterns.
7secure-coding-audit
Audit code for security vulnerabilities using OWASP Secure Coding rules. Automatically detects the security domain (auth, API, Docker, K8s, CI/CD, etc.) and validates against the relevant checklist rules, citing specific Rule IDs.
7